SlowMist|Feb 03, 2026 03:27
🚨 Threat Intelligence | Analysis of Token Vesting Phishing Poisoning 🚨
Recently, @ChainbaseHQ detected a phishing email campaign disguised as “audit/compliance confirmation” and shared the sanitized samples with the SlowMist team. We jointly analyzed the campaign and confirmed it as a highly targeted macOS attack combining social engineering + multi-stage fileless malware.
Attackers lure victims by asking them to “confirm the company’s legal English name,” then follow up with emails titled “FY2025 External Audit” or “Token Vesting Confirmation – deadline”, delivering malicious Word/PDF attachments. Once opened, victims are guided step-by-step into executing the attack themselves.
🔍 Key findings from our analysis:
🔹The attachment uses a double extension (e.g. Confirmation_Token_Vesting.docx.scpt) — it looks like a DOCX, but is actually an AppleScript
🔹The script fakes macOS update/repair screens to lower suspicion
🔹It steals system passwords via realistic system pop-ups and validates them locally before exfiltration
🔹It attempts to bypass macOS TCC protections, silently granting itself access to files, screen recording, keyboard events, camera, etc.
🔹A Node.js backdoor is deployed, enabling remote command execution and dynamic payload delivery
🔹Infrastructure relies on throwaway domains (e.g. sevrrhst[.]com) tied to a broader malicious cluster
⚠️ This is not a simple info-stealer — it’s a full intrusion chain abusing legitimate system tools, memory-resident stages, and dynamically delivered code, making detection far harder than traditional malware.
🛡️ If you opened the attachment or entered your system password: Immediately disconnect from the network, reset macOS TCC permissions, and check for suspicious AppleScript / Node.js processes.
📖 Full technical breakdown & IOCs here:👇
https://slowmist.medium.com/threat-intelligence-analysis-of-token-vesting-phishing-poisoning-50f39f5b9718(SlowMist)
Share To
Timeline
HotFlash
APP
X
Telegram
CopyLink